Gunnar Peterson’s OS Security Features Chart
Thomas Ptacek | November 21st, 2006 | Filed Under: Apple, Defenses, Uncategorized
From the comments on the last story; this was too good to pass up (but got saved grainy, so I redid it in Graffle). Note: OS X does have an NX stack now, but I don’t want to modify Gunnar’s chart. Note also: this slide is currently sourced to Rich Johnson.

Section Reordering lines up executable image sections so that a single data overflow can’t take out, say, the global offset table.
EXE randomization, a la PIE, randomizes the layout of text sections in position-independent code.
DLL randomization makes the base addresses of DLLs random so that shellcode won’t know which address to jump to in order to reach sensitive functions.
Frame Protection for the stack inserts unpredictable cookie values and runtime checks to make sure stack frames aren’t overwritten.
Exception Checks do the same thing for exception handlers, which are function pointers stored in reliable locations and a target for overflows.
Local Variable Protection creates checked guard values next to overflowable stack buffers.
Stack Randomization makes stack address offsets unpredictable.
Nonexecutable stacks use hardware page protection to prevent code from running on the stack at all, meaning shellcode needs to be stored somewhere else.
Heap Metadata Protection, a la Win32, XORs key fields in the allocator’s tracking structures so that they don’t have predictable valid values.
Randomization in the heap works like randomization in the stack, and the heap can also be made non-executable.
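As an added illustration of the frame/local-variable guard entries and the heap-metadata XOR entry above (example code written for this page, not from Gunnar’s chart, Rich’s slides, or any real compiler or allocator), the toy C below places a guard word directly after an overflowable buffer and checks it before the function “returns”, and encodes a chunk header with a per-heap key plus a one-byte checksum so that a header written without the key fails validation. Every name here (`guarded_frame_t`, `frame_demo`, `hdr_encode`, `hdr_decode`, `hdr_tamper_demo`), the secret and the key are constructed for the example; GCC’s stack protector and the Windows heap cookie differ in layout and detail, but the detection logic is the same idea.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Part 1: frame / local variable protection.
   A guard word sits directly after the overflowable buffer, where a stack
   cookie or ProPolice-style guard would be.  A linear overrun of buf must
   pass through the guard before it can reach anything beyond it. */
typedef struct {
    char     buf[16];
    uint32_t guard;
} guarded_frame_t;

#define FRAME_SECRET 0x5A3C9E71u   /* constructed value; a real runtime picks this at load time */

/* Prologue: zero the buffer and plant the guard. */
static void frame_enter(guarded_frame_t *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->guard = FRAME_SECRET;
}

/* Unchecked copy into the frame, modelling a strcpy-style bug.  The write is
   clamped to the struct's own storage, so the demo itself stays well defined. */
static void frame_unchecked_copy(guarded_frame_t *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* Epilogue check: 1 = guard intact (return allowed), 0 = overwrite detected. */
static int frame_leave_ok(const guarded_frame_t *f) {
    return f->guard == FRAME_SECRET;
}

/* Run a copy of copy_len bytes of 'A' into the frame and report the check result. */
int frame_demo(size_t copy_len) {
    guarded_frame_t f;
    char src[sizeof f];
    memset(src, 'A', sizeof src);
    frame_enter(&f);
    frame_unchecked_copy(&f, src, copy_len);
    return frame_leave_ok(&f);
}

/* Part 2: heap metadata protection.
   The size field is XOR'd with a per-heap key and covered by a checksum over
   the encoded bytes.  Overwriting the header without the key leaves a header
   whose checksum no longer matches, or whose decoded size is implausible. */
typedef struct {
    uint32_t enc_size;   /* size ^ key */
    uint8_t  check;      /* checksum of the enc_size bytes */
} chunk_hdr_t;

static uint8_t hdr_checksum(uint32_t enc) {
    return (uint8_t)(enc ^ (enc >> 8) ^ (enc >> 16) ^ (enc >> 24));
}

void hdr_encode(chunk_hdr_t *h, uint32_t size, uint32_t key) {
    h->enc_size = size ^ key;
    h->check = hdr_checksum(h->enc_size);
}

/* Decode and validate.  Returns the size on success, 0 if the header is
   inconsistent (checksum mismatch, or a size the arena cannot hold). */
uint32_t hdr_decode(const chunk_hdr_t *h, uint32_t key, uint32_t arena_size) {
    if (hdr_checksum(h->enc_size) != h->check) return 0;
    uint32_t size = h->enc_size ^ key;
    if (size == 0 || size > arena_size) return 0;
    return size;
}

/* Encode a 64-byte chunk and decode it again with the right key. */
uint32_t hdr_roundtrip(uint32_t key) {
    chunk_hdr_t h;
    hdr_encode(&h, 64, key);
    return hdr_decode(&h, key, 4096);
}

/* Model a raw header overwrite: the writer knows neither key nor checksum
   scheme and stores a plaintext size.  Validation should reject it. */
uint32_t hdr_tamper_demo(uint32_t key, uint32_t fake_size) {
    chunk_hdr_t h;
    hdr_encode(&h, 64, key);
    h.enc_size = fake_size;
    return hdr_decode(&h, key, 4096);
}

int main(void) {
    printf("frame intact after 12-byte copy: %d\n", frame_demo(12));
    printf("frame intact after 20-byte copy: %d\n", frame_demo(20));
    printf("decoded size with correct key:   %u\n", hdr_roundtrip(0x1234ABCDu));
    printf("decoded size after tampering:    %u\n", hdr_tamper_demo(0x1234ABCDu, 0x100));
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c -o demo`. The 12-byte copy leaves the guard intact, the 20-byte copy runs into it and the check fails; the tampered header decodes to 0 because its checksum no longer matches the stored byte (and even a lucky checksum would decode to a size far larger than the arena). The point both halves make is the one in the list above: the defender does not need to know the bug, only that the attacker cannot write a valid-looking value without the secret.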
There are features that aren’t covered in Gunnar’s chart. For instance, OpenBSD deserves ticks for Niels Provos’ Systrace, which allows the OS to revoke capabilities from programs entirely. Win32 uses cryptographic signatures for code loaded in certain environments. Windows also supports managed code. Even Cisco IOS had an elaborate periodic heap sanity checker. MacOS X does not yet have any of these features.


November 21st, 2006 at 5:25 am
Let’s see if “many security features” translates to “very secure”. I hope so.
November 21st, 2006 at 6:23 am
afaik according to some standard, horizontal text should be read from the right side. that’s wrong on that image.
and where is network security, like TCP id randomization, syncookies, etc?
MACs? system, syscall auditing support?
November 21st, 2006 at 6:45 am
Unfortunately, it looks as though that chart was taken directly from my slide deck from Toorcon on Vista Exploitation Countermeasures. I don’t actually see the chart on Gunnar’s site, but you provided the context that was given in the talk, so thanks. The full slides are at http://rjohnson.uninformed.org/toorcon8/rjohnson%20-%20Windows%20Vista%20Exploitation%20Countermeasures.ppt
Cheers,
Rich
November 21st, 2006 at 9:04 am
Moritz: name one of those features that won’t translate to better security, and provide a quick justification.
These aren’t features like encrypted home directories that people have to “use”. These are features that automatically make the operating system more resilient to the same types of attacks that Macs face and don’t deal with.
November 21st, 2006 at 9:06 am
Gergely, that chart is dedicated to runtime security features. I could make that clearer. I got it from a comment Gunnar Peterson left to the previous post, so, out of context, I take your point.
Note that on those other features, Windows compares favorably as well.
November 21st, 2006 at 9:23 am
I actually got this from Mike Howard’s OWASP talk
http://blogs.msdn.com/michael_howard/
2nd day keynote
http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda
I added further comments here
http://1raindrop.typepad.com/1_raindrop/2006/10/whatever_happen.html
The main one being that if people at IBM, Sun, and Apple can see past religion (always questionable) they have a good model to follow.
November 21st, 2006 at 10:39 am
“they have a good model to follow”
http://www.tw.openbsd.org/papers/ven05-deraadt/index.html
MS should give Theo some cash. They obviously think alike, and it’d be fun to see how it gets covered in Slashdot.
November 21st, 2006 at 11:11 am
I guess. The thing you like about Theo’s methodology is that he drives straight to a principle, like, “everything that is executable should be read-only in memory”, then, without thinking of specific exploits, works to consistently apply that principle. W^X is a good example.
The thing I don’t like about Theo is his dogma about POSIX and compatibility. Notice that in Theo’s talk he talks about privsep, but not about systrace? But privsep is objectively inferior to systrace (continuing this silly idea that a process confined to a “nobody” uid and a chroot directory is somehow safe); unfortunately, Theo didn’t invent it and it breaks POSIX.
I agree with the sentiment, though; the fact that we can favorably compare Win32 with OpenBSD speaks volumes about how far Microsoft has come. I’d rather eat a bug than use Windows, but, fair is fair.
November 21st, 2006 at 11:13 am
Rich, how is that unfortunate? It’s a neat chart.
You’re credited now, I think. =)
November 21st, 2006 at 11:39 am
The items in the chart are run-time exploit prevention techniques. They do not reflect the quality of code put into each of those operating systems. With that said, nice posts
November 21st, 2006 at 1:40 pm
Ptacek: On the subject of what Theo did or didn’t invent, I believe Niels Provos invented both systrace and privsep.
I also don’t believe many people consider privsep to be “safe”; it’s an obstacle and ideally there should be enough obstacles/logging that intruders are noticed before they get from the chroot jail to successfully exploiting the kernel or the privileged parent process.
November 21st, 2006 at 2:26 pm
Alex: I operate under the delusion that if Theo approves of something, he probably had a hand in writing it. But I apologize if I miscredited something.
Is privsep an obstacle? I guess. What I’m pointing out is that in 2006, the attack trajectory might not be remote -> local -> root, it might be remote -> local -> remote or remote -> local -> localhost service.
November 21st, 2006 at 4:10 pm
Thanks for the correction, I realize the confusion now, and it’s largely due to me crawling the web so late... sorry Gunnar.
It’s been mentioned already, but the chart was specific to platform security features that result in an altered memory footprint or are designed to prevent memory corruption. The other technologies mentioned here, such as execution flow restrictions and privilege separation, are interesting in their own regard and it would be nice to see a continued interest in comparing host security technology.
November 22nd, 2006 at 2:24 am
Tom,
Rich’s chart is pretty cool. But while you’re busy grinding your heel into Gruber’s face (“take that, you pixel flipping, no-security-knowledge-having hack!”) it would be a little more honest if you pointed out that the exhibit was sourced from Microsoft. Of course the chart is going to make them look the best relative to other operating systems — they made it. Depending on how the problem space is framed, other folks could probably come up with alternatives that favored their OSes.
November 22nd, 2006 at 5:40 pm
Andrew - while I cannot disclaim any bias, I’d like to point out that I’ve been at MS all of 6mo and I have done prior public research on comparing platform security. The categories listed above are fair and apply specifically to hardening the memory environment that attackers try to manipulate when writing exploit code. The fact remains that Microsoft, Red Hat and OpenBSD have adopted memory hardening technologies and Apple has not. Surely this will be on the radar for them now if it wasn’t before, and that is part of the end-goal.
November 23rd, 2006 at 12:57 am
Andy,
I’d love to see a chart that shows hardening technologies, and what other operating systems are doing. The things that spring to mind are chroot, jails on BSD, AppArmor on Linux. Systrace has been mentioned. (In that same containment goal, we could talk about mandatory integrity control in Vista, which is also not on the chart.)
What categories should be there, and what should be in the categories?
Adam
(Who also works at MS, but isn’t an old timer like Johnson.)
November 23rd, 2006 at 6:43 pm
ok, how about including network stack mechanisms (like a bi-directional stateful inspection firewall, traffic shaping/normalization, cryptographically strong randomization used in allegedly random data, etc). How about including application security mechanisms in default applications shipped with the OS? How about the security posture derived from default OS configuration?
The chart is great but it applies to a specific area of interest: security against code-injection exploits (and in case you did not notice I do make a subtle distinction code-injection != code-execution ). Also, the chart shows features that improve the security posture of the OS but it does not show those features that are likely to decrease it and I’d like to see how they all do on that one.
December 6th, 2006 at 9:08 am
nx on mac os x (intel cpu):
Does mac os x enforce that writable pages can’t be executable in the whole mem space? Or just the stack?
January 12th, 2007 at 9:04 pm
Mac OS X Security Myth #3: Mac OS X Has More Security Designed In
Following up on Mac OS X Security Myth#1 (fewer vulns) and Security Myth#2 (nobody attacks), this post
February 19th, 2007 at 10:03 am
Uhm, did Microsoft make the original chart? I found the original post of it here http://1raindrop.typepad.com/1_raindrop/2006/10/whatever_happen.html (you link to the blog itself) and I noticed that his graph is significantly different than all the other images/graphs on his blog.
And with the post content itself, it says Michael Howard (a “Simple Security” Guy at Microsoft) gave a presentation. Then it says “This slide summarizes protections against a variety of exploits across systems:”. I bring your attention to the words “this slide”, which makes it seem like the slide/graph comes from Microsoft’s Security Guy’s Presentation.
Why do I mention this? I thought it was odd that Mac OS X had no checkboxes and Vista had all but one checkbox. Also, it doesn’t mention the stack protection even though it’s been on the ICBMs since their introduction in Jan (and is why OS X no longer supports nested functions).
February 19th, 2007 at 10:41 am
Ack, my bad. Wtf, how did I miss the comments to this? Ok, so this chart was created by Microsoft to advertise Vista’s security features.
Not sure how the hell I missed all these comments. Apologies.
I just saw this chart being linked to from a lot of different websites with no source. And it was odd since all of them had the same glaring error about NX and OS X.
But yeah, apologies for not seeing the comments first. Still no idea how I did that.
February 25th, 2007 at 5:13 pm
Adam’s comment is the most apt. The given chart is a fine list for hardening applications from various attacks. But I despair of ever seeing a large piece of software (IE, Firefox, Thunderbird, Safari, etc.) that is reliably safe all by itself. The listed technologies all harden large programs, and that is a good thing.
But jails/sandboxes/virtual machines and similar belt-and-suspenders approaches seem to be the only technology currently available to shut down successful attacks on the underlying operating systems. This idea isn’t new: Multics’ rings or Java’s runtime environment could in principle provide this protection. The challenge is to provide performance and features without punching holes in the containment technology (i.e. native methods in Java.)
This is a fine list from Microsoft (or whomever), and it ought to be propagated, expanded, and create marketing excuses for improving the security of future software.
March 19th, 2007 at 6:28 pm
Where has the chart image gone?? It’s a very handy comparison to link…